Preventing Misuse of Random Access Procedure in Wireless Communication System

ABSTRACT

A method for preventing misuse of a random access procedure in a mobile station including transmitting a random access preamble, receiving a random access response message addressed to an identifier that has a one-to-one association with the random access preamble transmitted by the mobile station, and decoding the random access response message.

FIELD OF THE DISCLOSURE

The present disclosure relates generally to wireless communications and more particularly to preventing the misuse of the random access procedure by malicious user terminals in wireless communication systems.

BACKGROUND

In 3GPP LTE, the RACH procedure consists of a UE sending a random access (RA) preamble to the eNB in a RACH occasion and receiving a random access response from the eNB. The RA response includes the RACH preamble used, a temporary C-RNTI assignment, and an UL resource assignment. The UE transmits “message 3” on the resource assigned in the RA response. The RA response is addressed (on the PDCCH) to the RA-RNTI corresponding to the RACH occasion that was used by the UE to transmit the RA preamble. In the contention based RACH procedure, message 3 can be an RRC Connection establishment request or an RRC Connection Re-establishment request. Below we show that the RACH procedure has a loophole that a malicious UE can exploit to deny service to other UEs. The LTE random access procedure is illustrated in FIG. 1.

Prior art FIG. 2 illustrates a known procedure for exploiting a RACH loophole. The malicious UE can simply listen for RA responses (by searching for valid RA-RNTIs on the PDCCH) and acquire the UL grants. It can then use the resource assigned in the UL grant to send a fake message 3. For example, the malicious UE sends an RRC Connection Re-establishment request as message 3 including in it a randomly chosen MAC-I, any C-RNTI and PCI. The eNB cannot identify the UE requesting the re-establishment; therefore it rejects the RRC connection establishment. The legitimate UE may have started the RACH procedure for an RRC connection re-establishment or an RRC connection establishment. In both cases the legitimate UE's attempt to send message 3 fails and it re-attempts the procedure. The malicious UE repeats the procedure and this leads to a denial of service to the legitimate UE.

Even with the non-contention RACH procedure, a malicious UE can deny service to the legitimate UE. For example, when UE performs a RACH for UL synchronization to a target cell during a handover, the malicious UE can capture the RA response and use the resource indicated in the UL grant to send an RRC connection re-establishment request indicating a handover failure. This leads the legitimate UE eventually to a handover failure.

The current LTE MAC specification TS 36.321 lists the structure of the Random access response message as illustrated in FIGS. 3-6. It shows that the RA preamble used by a UE is echoed in the MAC sub-header corresponding to the Random access response PDU intended for the UE. Note that an RA response message can contain multiple RA responses. That is, the RA response message can respond to multiple UEs that send RA preambles in a particular RACH occasion. Also note that the RA response message is addressed to an “RA-RNTI”. There is a one to one association between the RA-RNTIs and the RACH occasions in each radio frame.

The various aspects, features and advantages of the disclosure will become more fully apparent to those having ordinary skill in the art upon a careful consideration of the following Detailed Description thereof with the accompanying drawings described below. The drawings may have been simplified for clarity and are not necessarily drawn to scale.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a prior art random access procedure.

FIG. 2 illustrates a prior art procedure for exploiting a random access procedure loop hole.

FIG. 3 illustrates an E/T/RAPID MAC sub-header.

FIG. 4 illustrates an E/T/R/R/BI MAC sub-header.

FIG. 3 illustrates an MAC RAR.

DETAILED DESCRIPTION

The disclosure focuses on constructing the Random access response such that only the intended UE can correctly utilize the UL grant included in it.

In a first embodiment of the disclosure, the UL grant is scrambled within the RA response message so that the malicious UE cannot correctly decode it. According to this embodiment, the eNB is configured to: compute a CRC over the MAC RAR block (shown in FIG. 5); scramble the computed CRC using the received RA preamble; scramble the MAC RAR block using the received RA preamble; and transmit the scrambled MAC RAR block and the scrambled CRC in the RA response message.

A UE that receives the RA response message and the MAC RAR block within it is configured to de-scramble the received MAC RAR block and the corresponding received CRC using the RA preamble it transmitted to obtain RAR-descrambled and CRC-descrambled respectively; and compute the CRC of RAR-descrambled. If the CRC of RAR-descrambled is equal to CRC-descrambled, then the UE considers the RAR to be intended for itself. Otherwise, the RAR is intended for a different UE. The RA preamble used by the legitimate UE is not known to the malicious UE. A malicious UE would have to try all of the 64 RA preambles to try to successfully decode the message. The CRC can be transmitted in place of the RA preamble ID (“RAPID”) in the current PDU structure.

According to another embodiment of the disclosure, the eNB addresses the RA response message to an RNTI that is offset from the (actual) RA-RNTI by the RA preamble received. Currently after transmitting a RACH preamble a UE awaits an RA response message addressed to an RA-RNTI, where RA-RNTI is t_id+10×f_id; where 0≦t_id<10 and 0≦f_id<6. The maximum value of the RA-RNTI is 59. Instead of this UE would await an RA response message addressed to an RNTI t_id+10×f_id+(pr×64), where pr is the RA-preamble received by the eNB. This ensures that the 6 least significant bits of the RNTI are the RA-RNTI and the next 6 least significant bits are the preamble pr.

A UE receives the RA response message by looking for the correct RNTI and a malicious UE is unable to determine the correct RNTI to look for because it is not aware of the RA preamble transmitted by the legitimate UE. This embodiment can be implemented entirely as a change in the MAC specification. It also eliminates the need to echo the RA preamble in the RA response message, thus making the RA response message smaller. Note that currently the MAC specification allows multiple RA responses to be included in a single RA response message. For the second embodiment to be used only one RA response can be included in a RA response message and this would require a change to the 3GPP LTE MAC specification.

According to a third embodiment of the disclosure, the eNB transmits a bit string S which is the result of applying a scrambling function SCR on the RA preamble ID. The intended UE can use this for verification. eNB assigns a resource R for message 3 transmission by signaling resource R+f(pr) in the UL grant, where pr is the RA preamble transmitted by the UE, and f is a function that maps preambles to discrete numerical offsets. The offsets can be either frequency offsets or time offsets. Note that if frequency offsets are used, f depends on the cell bandwidth.

A UE that receives the RA response message de-scrambles all the scrambled preamble IDs received and checks to see if the results include the preamble it transmitted. If the preamble ID it transmitted is included, it determines the starting resource block for message 3 transmission from the RB R′ signaled in the RA response as R′−f(pr).

While the present disclosure and the best modes thereof have been described in a manner establishing possession and enabling those of ordinary skill to make and use the same, it will be understood and appreciated that there are equivalents to the exemplary embodiments disclosed herein and that modifications and variations may be made thereto without departing from the scope and spirit of the inventions, which are to be limited not by the exemplary embodiments but by the appended claims. 

1. A method in a mobile station to prevent misuse of a random access procedure, the method comprising: transmitting a random access preamble; receiving a random access response message that is addressed to an identifier that has a one-to-one association with the random access preamble transmitted by the mobile station; and decoding the random access response message.
 2. The method according to claim 1, wherein the receiving a random access response message that is addressed to an identifier that has a one-to-one association with the random access preamble transmitted by the mobile station includes receiving a random access response message that is addressed to an identifier wherein one part of the identifier provides the identity of the random access preamble transmitted by the mobile station.
 3. The method according to claim 2, wherein the receiving a random access response message that is addressed to an identifier that has a one-to-one association with the random access preamble transmitted by the mobile station further includes receiving a random access response message that is addressed to an identifier wherein another part of the identifier provides the time of transmission of the random access preamble by the mobile station.
 4. The method according to claim 1 wherein the identifier is a radio network temporary identifier (RNTI).
 5. The method according to claim 1 further comprising: receiving a random access response message that is addressed to an identifier that does not have an association with the random access preamble transmitted by the mobile station, and discarding the random access response message.
 6. The method according to claim 1 further comprising: receiving an indication of a set of random access preambles and wherein the transmitting a random access preamble includes transmitting a random access preamble from the set of random access preambles.
 7. A method in a base station to prevent misuse of a random access procedure, the method comprising: receiving a random access preamble; constructing a random access response message that is addressed to an identifier that has a one-to-one association with the received random access preamble; and transmitting the random access response message.
 8. The method according to claim 7, wherein the constructing a random access response message that is addressed to an identifier that has a one-to-one association with the received random access preamble includes constructing a random access response message that is addressed to an identifier wherein one part of the identifier provides the identity of the received random access preamble.
 9. The method according to claim 8, wherein the constructing a random access response message that is addressed to an identifier that has a one-to-one association with the received random access preamble further includes constructing a random access response message that is addressed to an identifier wherein another part of the identifier identifies the time of reception of the received random access preamble.
 10. The method according to claim 7 wherein the identifier is a radio network temporary identifier (RNTI).
 11. The method according to claim 7 further comprising: Transmitting an indication of a set of random access preambles and wherein receiving a random access preamble includes receiving a random access preamble from the set of random access preambles.
 12. A wireless communication device comprising: a transceiver configured to transmit a random access preamble and receive a random access response message; a controller coupled to the transceiver, the controller configured to control operations of the wireless communication device, the controller including a random access response processing module, the random access response processing module configured to program the transceiver to receive random access response messages addressed to an identifier, wherein the identifier is derived from an identity of a random access preamble transmitted by the mobile station.
 13. A base station comprising: a transceiver configured to receive random access preambles and transmit random access responses; a controller coupled to the transceiver, the controller configured to allocate resources to mobile stations for transmission of messages, the controller including a random access response message generation module, the random access response message generation module configured to generate a random access response message addressed to an identifier, wherein the identifier is derived from a random access preamble transmitted by a mobile station. 